RSA 2012 has lived up to expectations with some great thought-provoking presentations. Tuesday morning I attended “Revocation Checking for Digital Certificates: Why Won’t It Work?” moderated by Kirk Hall. Kirk and the other panellists clearly described the shortcomings of revocation checking by CRLs or OCSP and why all modern browsers “soft-fail” if they can’t get a revocation response. They also detailed a number of proposed improvements, and the pros and cons of each.
At Symantec, we believe that revocation checking is essential. That’s why we’ve invested heavily in building a highly available, massive-scale infrastructure to serve our CRLs and OCSP responses. Today our infrastructure supports over 3.5 billion OCSP lookups every day. We’re an active part of the CA/Browser Forum, including the working group that will study improvements in revocation checking. It’s a great topic that has the potential to make a big difference in the safety and security of everyone’s online transactions.